MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “inv.# 57949” (numbers will vary).
This email is sent from the spoofed address “email@example.com” and has the following body:
Here is your invoice & Credit Card Receipt.
R. Kern Engineering & Mfg Corp.
Fax 909) 664-2116
The attached file SKMBT_C552D150123_16106.doc is a Word file with an embedded macro that will download the executable bin.exe from the following locations:
The trojan is known as W32/Injector.BTAV!tr, Kryptik.CEWB or Mal/Wonton-AN.
At the time of writing, 3 of the 57 AV engines detected the trojan at Virus Total.
Use Virus Total for more detailed information.
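
With so few engines detecting the payload, a mail-gateway triage check on the traits described above (the "inv.# NNNNN" subject format and a legacy Word attachment carrying a VBA project) is a useful stopgap. The following Python sketch is an added example, not MX Lab's code. The function names, the recipient address and the stub attachment are constructed for illustration, and the macro check is a byte-level heuristic rather than a full OLE parse.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject format reported for this campaign: "inv.# 57949" (numbers vary).
SUBJECT_RE = re.compile(r"^\s*inv\.#\s*\d+\s*$", re.IGNORECASE)
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # OLE2 container used by legacy .doc
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory names are UTF-16LE


def triage(raw: bytes) -> dict:
    """Flag a message whose subject fits the campaign and whose attachment holds VBA."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = {"subject_match": bool(SUBJECT_RE.match(msg["Subject"] or "")),
              "macro_docs": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Heuristic: judge by content, not by the file extension alone.
        if data.startswith(OLE_MAGIC) and VBA_MARKER in data:
            result["macro_docs"].append(name)
    result["quarantine"] = result["subject_match"] and bool(result["macro_docs"])
    return result


def build_sample(subject: str, with_macro: bool) -> bytes:
    """Constructed test message; the attachment is a stub, not a real document."""
    stub = OLE_MAGIC + b"\x00" * 64 + (VBA_MARKER if with_macro else b"")
    msg = EmailMessage()
    msg["From"] = "email@example.com"
    msg["To"] = "user@example.org"          # assumed recipient
    msg["Subject"] = subject
    msg.set_content("Here is your invoice & Credit Card Receipt.")
    msg.add_attachment(stub, maintype="application", subtype="msword",
                       filename="SKMBT_C552D150123_16106.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample("inv.# 57949", with_macro=True)))
    print(triage(build_sample("Quarterly report", with_macro=False)))
```

Because the numbers in the subject vary and the sender is spoofed, the attachment content check carries most of the weight; the subject match only narrows the result to this campaign.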